Active Directory Authentication
How Active Directory Authentication Works
User Identity and User Profile
Setting Up Active Directory Authentication
Preparing for Active Directory Authentication
Supported Versions of Active Directory
Network Requirements for Active Directory Authentication
SSL Connections to Active Directory
Configuring SGD for Kerberos Authentication
Active Directory Password Expiry
How to Enable Active Directory Authentication
How Anonymous User Authentication Works
User Identity and User Profile
Application Sessions and Password Cache Entries
How to Enable Anonymous User Authentication
User Identity and User Profile
Setting Up LDAP Authentication
Preparing for LDAP Authentication
Network Requirements for LDAP Authentication
LDAP Bind DN and Password Change
Authentication to Novell eDirectory
How to Enable LDAP Authentication
How SecurID Authentication Works
User Identity and User Profile
Setting Up SecurID Authentication
Configuring SGD Servers as Agent Hosts
How to Configure an SGD Server as an Agent Host
How to Enable SecurID Authentication
How Third-Party Authentication Works
User Identity and User Profile
User Identity and User Profile
Use Default Third-Party Identity
User Identity and User Profile
Setting Up Third-Party Authentication
How to Enable Third-Party Authentication
SGD Administrators and Third-Party Authentication
Trusted Users and Third-Party Authentication
Information for Application Developers
How to Create a New Trusted User
How UNIX System Authentication Works
Search Unix User ID in Local Repository
User Identity and User Profile
Search Unix Group ID in Local Repository
User Identity and User Profile
User Identity and User Profile
UNIX System Authentication and PAM
How to Enable UNIX System Authentication
How Windows Domain Authentication Works
User Identity and User Profile
How to Enable Windows Domain Authentication
Passwords, Domains, and Domain Controllers
How to Specify a Domain Controller on a Different Subnet
Tuning Directory Services for Authentication
Filtering LDAP or Active Directory Logins
How to Configure a User Login Filter
How to Configure the Group Login Filter
How to Create an Active Directory Service Object
How to Create an LDAP Service Object
Search Only the Global Catalog
Active Directory Authentication and LDAP Discovery
Troubleshooting Secure Global Desktop Authentication
Setting Log Filters for Authentication Problems
Denying Users Access to SGD After Failed Login Attempts
How to Enable the Login Failure Handler
How to Change the Number of Login Attempts
Users Cannot Log In to Any SGD Server
Using Shared Accounts for Guest Users
How to Share a User Profile Between Users
Solaris OS Users Cannot Log in When Security is Enabled
An Ambiguous User Name Dialog Is Displayed When a User Tries to Log in
3. Publishing Applications to Users
7. SGD Servers, Arrays, and Load Balancing
B. Secure Global Desktop Server Settings
SGD is designed to integrate with your existing authentication infrastructure and has the following two methods for authenticating users:
System authentication. SGD checks the user’s credentials against one or more external authentication services, for example a Lightweight Directory Access Protocol (LDAP) directory. See System Authentication Mechanisms for details of the available system authentication mechanisms.
Third-party authentication. An external mechanism authenticates the user and SGD trusts that the authentication is correct. The most common use of third-party authentication is web server authentication. See Third-Party Authentication for more details.
The following are main results of a successful authentication:
A user identity. The name that identifies the user. See User Identity for more details.
A user profile. The user’s SGD-related settings. See User Profile for more details.
Sometimes the user identity and the user profile are the same.
In the SGD Administration Console, you can monitor user sessions and application sessions using either the user identity or the user profile.
Depending on how users are authenticated, SGD can prompt users to change their
password when they try to log in with an expired password. See Password Expiry
for details.
SGD authentication is global. A user can log in to any SGD server in the array with the same user name and password.
SGD Administrators can enable and disable each authentication mechanism independently, as follows:
In the Administration Console, use the Global Settings -> Secure Global Desktop Authentication tab.
On the command line, use the tarantella config command.
A user identity is the name that identify the user. Each authentication mechanism has its own set of rules for determining the user identity.
A user identity is a name assigned by SGD and is sometimes referred to as the fully qualified name. The user identity is not necessarily the name of a user profile in the local repository. For example, for LDAP authentication the identity is the distinguished name (DN) of the user in the LDAP directory.
The user identity is associated with the user’s SGD session, their application sessions, and their entries in the application server password cache.
A user profile controls a user’s SGD-specific settings. Depending on whether or not you use an LDAP directory to assign applications to users, a user profile can also control the applications a user can access through SGD, sometimes called webtop content. Each authentication mechanism has its own set of rules for determining the user profile.
A user profile is always an object in the local repository and is sometimes referred to as an equivalent name. A user profile can be a special object called a profile object stored in the System Objects organization. For example, for LDAP authentication the default user profile is o=System Objects/cn=LDAP Profile.
The following table lists the available system authentication mechanisms and describes the basis for authentication.
Table 2-1 System Authentication Mechanisms
|
When a user logs in, the enabled authentication mechanisms are tried in the
order they are listed in System Authentication Mechanisms. When you configure SGD authentication, the Administration
Console shows the order in which the mechanisms are tried. The first authentication
mechanism that authenticates a user “wins” and no further authentication mechanisms are tried.
SGD can handle the expiry of the user’s password if configured to do so.
When a user attempts to log in to SGD with an expired password, the Aged Password dialog displays. This dialog does the following:
Confirms that the password has expired
Enables the user to enter and confirm a new password
If the new password is accepted, the user is logged in to SGD.
The following table shows which authentication mechanisms support aged passwords.
|
When logging in to SGD, passwords and authentication tokens are only encrypted if there is an Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) connection.
SGD uses external mechanisms for authenticating users. The security of passwords when authenticating users is as follows:
Active Directory authentication uses the Kerberos protocol for authentication, which is secure
LDAP authentication can be configured to use a secure connection
Web server authentication is only secure if the user has an HTTPS connection
All other authentication mechanisms use the native protocols for authenticating users